Sonatype Blog: Latest Posts

OSS Compliance: Lead or be Led, Your Choice

In case you missed it, we published the results of our Developer Survey as a PDF. One of the things we did this year was post some comparisons to last year’s survey, specifically the changing attitudes toward OSS license compliance and policy. Here’s a statistic that caught my attention:

These two ends of the spectrum – no standards vs. total lock down – saw huge movement between 2011 and 2012, and I predict that we’re going to see the same sort of movement in next year’s survey. Open source compliance is top of mind for a few reasons, but I think the trend is best explained by two things: the timing of corporate adoption of OSS over the last decade and the average lifecycle of an enterprise application.

My general sense about open source adoption is that it didn’t hit the mainstream for Java developers until the beginning of the last decade. 2001 saw an explosion of activity at Jakarta (Struts, Tomcat, Maven, Ant), and each subsequent year showed a steady increase in open source usage (particularly in the Java space), but larger businesses didn’t really start moving toward wide-scale OSS adoption until the second half of the decade (SpringSource and JBoss). So while mainstream open source Java is more than a decade old at this point, larger businesses only made the jump to OSS five to seven years ago.

Couple this with the average lifecycle of an enterprise application. Larger companies tend to invest in an application, architect a system and watch it mature over 5-10 years. This means that applications that once relied on proprietary components are coming up for redesign just now, and every year brings a new crop of applications due for redesign. Enterprises that embark on new application development now have a rich array of open source components to choose from, and OSS use in business has matured to include rigorous compliance efforts.

Compliance is top of mind for businesses these days. With security incidents and IP litigation making front-page news almost every week, it is one of the first questions management asks when teams start using OSS: What licenses are we using? Do we have a process for identifying our exposure to security risk? As a developer, you can decide to integrate tools like Nexus Professional 2.0 and take the lead in compliance reporting, or you can wait around for your lawyers to dictate your technology adoption process. This responsibility is still evolving, and developers have an opportunity to either lead through action or be led by someone else who takes responsibility for them.